oauthlint 0.6.0 → 0.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +4 -4
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -42,7 +42,7 @@ npx oauthlint scan ./src --format html > report.html
42
42
  npx oauthlint explain auth.jwt.alg-none
43
43
  ```
44
44
 
45
- Scan only what changed for fast pre-commit hooks and editors with `--diff` / `--staged`, or adopt on a large repo with a [baseline](https://oauthlint.dev/docs/baseline) (`oauthlint baseline ./src` then `scan --baseline`) so you're alerted on **new** findings only. Other commands: `list`, `explain`, `init`, `doctor`. Run `oauthlint --help` or see the [full CLI reference](https://oauthlint.dev/docs/cli).
45
+ Scan only what changed for fast pre-commit hooks and editors with `--diff` / `--staged`, or adopt on a large repo with a [baseline](https://oauthlint.dev/docs/cli#baseline) (`oauthlint baseline ./src` then `scan --baseline`) so you're alerted on **new** findings only. Other commands: `list`, `explain`, `init`, `doctor`. Run `oauthlint --help` or see the [full CLI reference](https://oauthlint.dev/docs/cli).
46
46
 
47
47
  ### Every finding teaches
48
48
 
@@ -50,12 +50,12 @@ Each finding ends with a hint, `↳ run \`oauthlint explain <rule-id>\` for deta
50
50
 
51
51
  ## What it catches
52
52
 
53
- LLM coding assistants (Cursor, Claude, Copilot, Gemini) ship the *same* auth bugs across every project: a JWT accepted with `alg: none`, a hard-coded `client_secret`, an OAuth flow with no `state`/PKCE, a token in `localStorage`, a `*` wildcard `redirect_uri`, an unrate-limited `/login`, a plaintext password, `Math.random()` for a CSRF token.
53
+ AI coding assistants — tools like GitHub Copilot, Cursor, and Claude Code, and others — ship the *same* auth bugs across every project: a JWT accepted with `alg: none`, a hard-coded `client_secret`, an OAuth flow with no `state`/PKCE, a token in `localStorage`, a `*` wildcard `redirect_uri`, an unrate-limited `/login`, a plaintext password, `Math.random()` for a CSRF token.
54
54
 
55
55
  - **100+ rules** across **JS/TS · Python · Go · Java · Rust**, each mapped to CWE/OWASP with a fix page (a lesson, not a grep hit).
56
56
  - **Dataflow (taint) analysis.** Beyond pattern-matching, the pack traces untrusted input through to dangerous sinks to catch **open-redirect** and **SSRF**.
57
57
  - **HTML report.** `scan --format html` renders a self-contained, offline, no-JavaScript audit you can email or attach to a PR.
58
- - Plus **SARIF** for Code Scanning, `--fix` for safe auto-fixes, incremental `--diff`/`--staged`, and a [baseline](https://oauthlint.dev/docs/baseline) for existing codebases.
58
+ - Plus **SARIF** for Code Scanning, `--fix` for safe auto-fixes, incremental `--diff`/`--staged`, and a [baseline](https://oauthlint.dev/docs/cli#baseline) for existing codebases.
59
59
 
60
60
  👉 **Browse the always-current catalogue at [oauthlint.dev/rules](https://oauthlint.dev/rules/).**
61
61
 
@@ -73,7 +73,7 @@ Per-language bundles exist too (`oauthlint-python.yaml`, `oauthlint-go.yaml`,
73
73
 
74
74
  Honest answer: nothing stops you writing these rules yourself. Semgrep is open source and it's the engine we run, so there's no technical moat. What oauthlint gives you is the work most people never do:
75
75
 
76
- - **Low false positives, validated against real auth libraries.** `jose`, NextAuth, PyJWT, Authlib, `golang/oauth2`, `oauth2-rs`, Spring Security and more. Anything that fires on mature library source goes to a triage queue, not to you ([validation report](https://oauthlint.dev/VALIDATION)).
76
+ - **Low false positives, validated against real auth libraries.** `jose`, NextAuth, PyJWT, Authlib, `golang/oauth2`, `oauth2-rs`, Spring Security and more. Anything that fires on mature library source goes to a triage queue, not to you ([validation report](https://oauthlint.dev/validation)).
77
77
  - **One coherent product across every language.** Same concepts, same ID scheme, same docs, not a patchwork of community rules.
78
78
  - **The angle the registry doesn't have.** It targets the auth bugs AI tools ship on repeat, encoded in each rule's `llm-prevalence` metadata and measured by a reproducible benchmark ([the research](https://oauthlint.dev/research)).
79
79
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "oauthlint",
3
- "version": "0.6.0",
3
+ "version": "0.6.1",
4
4
  "description": "Catch the OAuth/OIDC/JWT anti-patterns AI coding tools systematically produce. CLI wrapper around the oauthlint-rules Semgrep rule pack.",
5
5
  "type": "module",
6
6
  "main": "./dist/index.js",